So I'm working on a greenfield deployment with a Production platform (3 vSAN nodes) and a DMZ platform (2 vSAN nodes), and I'm wondering if there would be any use in putting the DMZ vCenter/ESXi cluster management IPs on a different VLAN/subnet than the one used for the Production vCenter/ESXi. My argument is that it would be easier for everything management-related to be in the same VLAN; this way, for example, security admins won't have to go through a lot of tasks and firewall ACL authorizations for LAN end users who might want to access the vSphere Web Clients for both clusters, or if there's a platform upgrade via the Internet it would be easier to authorize Internet access for one subnet rather than two...
Otherwise, if there are any best practices you know of, please share them.
It depends on your network infrastructure design and the technologies used in your infrastructure.
But a different VLAN for management has no benefit; a DMZ can be a logical or a physical zone. So you can use different network interfaces on your servers for different traffic types, but you can keep management traffic in the same VLAN.
Best practice is to follow your company's security policies and make sure that there is no violation in your configuration.
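Whichever way the VLAN decision goes, the thing worth verifying afterwards is where each host's management vmkernel port actually landed and whether vSAN or vMotion traffic is sharing it. The PowerCLI script below is an added audit example, not code from either poster or from VMware; it assumes PowerCLI is installed, that you are already connected with Connect-VIServer to the vCenter managing both clusters, and that the clusters are named "Production" and "DMZ" (placeholders to adjust).

```powershell
# Added audit example (not from the thread). Assumes an existing Connect-VIServer
# session and that the cluster names below match your environment (placeholders).
param(
    [string[]]$ClusterNames = @('Production', 'DMZ')   # assumed cluster names
)

$report = foreach ($clusterName in $ClusterNames) {
    $cluster = Get-Cluster -Name $clusterName -ErrorAction Stop
    foreach ($esx in Get-VMHost -Location $cluster) {
        foreach ($vmk in Get-VMHostNetworkAdapter -VMHost $esx -VMKernel) {
            # Resolve the VLAN tag of the port group this vmkernel port sits on.
            # Standard switch port groups expose VLanId directly; for distributed
            # port groups the tag is assumed to be under VlanConfiguration.
            $vlan = $null
            $pg = Get-VirtualPortGroup -VMHost $esx -Name $vmk.PortGroupName -ErrorAction SilentlyContinue
            if ($pg) {
                if ($pg.PSObject.Properties['VLanId'] -and $null -ne $pg.VLanId) { $vlan = $pg.VLanId }
                elseif ($pg.VlanConfiguration) { $vlan = $pg.VlanConfiguration.VlanId }
            }
            [pscustomobject]@{
                Cluster   = $clusterName
                Host      = $esx.Name
                VMKernel  = $vmk.Name
                PortGroup = $vmk.PortGroupName
                VLAN      = $vlan
                IP        = $vmk.IP
                Mgmt      = $vmk.ManagementTrafficEnabled
                vSAN      = $vmk.VsanTrafficEnabled
                vMotion   = $vmk.VMotionEnabled
            }
        }
    }
}

$report | Sort-Object Cluster, Host, VMKernel | Format-Table -AutoSize

# Check 1: which VLAN(s) carry management for each cluster. If the design says
# DMZ and Production management are separate, this is where a mismatch shows up.
$report | Where-Object Mgmt | Group-Object Cluster | ForEach-Object {
    '{0}: management on VLAN(s) {1}' -f $_.Name, (($_.Group.VLAN | Sort-Object -Unique) -join ',')
}

# Check 2: vSAN and vMotion should ride their own vmkernel ports rather than
# sharing the management port and its VLAN.
$shared = $report | Where-Object { $_.Mgmt -and ($_.vSAN -or $_.vMotion) }
if ($shared) {
    Write-Warning 'vmkernel ports carrying management together with vSAN/vMotion:'
    $shared | Format-Table -AutoSize
}
```

Run it from a machine with PowerCLI after connecting to vCenter; the first table is the raw inventory, and the two checks below it are the ones the thread's question turns on: management VLAN placement per cluster, and management not sharing a port with storage or vMotion traffic.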